National Cyber Security Awareness Month is drawing to a close, and the final week has been focused on the growing intersection between cyber and physical security when protecting the nation’s critical infrastructure.
Here at Naked Security our focus during NCSAM has been on what we can do as individuals to better protect ourselves, so we thought we'd personalise this final week's theme and look at how you can protect your critical infrastructure.
Most of our readers come from North America and Western Europe and are probably lucky enough to expect taps that flow, lights that switch on and telephones that ring (when they should). This reliability can breed complacency: we only realise the importance of something when it’s no longer working.
Of course achieving such reliability isn’t simple. If you work in IT you can probably appreciate how much effort goes into keeping a service running 24/7/365 even in relatively benign conditions. Throw in some adversaries and things get a lot harder.
Likewise, it’s easy to overlook the security of IT infrastructure that "just works". Worse yet, it’s likely to be the low-level stuff that nobody wants to touch. It’s probably not been patched for years, yet it’s absolutely critical for your business.
Here are a few areas to consider:
Power. Today’s uninterruptible power supplies and power bars are pretty clever bits of kit. Unfortunately, anything that’s clever probably has a significant attack surface. Pay particular attention to anything that has an IP interface. It’s likely running an embedded system that needs patching just like your servers.
Server management cards (IBM RSA, HP iLO, Dell DRACs etc.): these things are notoriously flaky and hard to manage. If an attacker gets access via one of these cards it is, by design, as good as physical access, and game over for your data. They all ship with default passwords which are just a quick Google away, and the difficulty of managing them (often requiring a server reboot) means it’s easy to forget to change them. Worse yet, they also tend to run IPMI (the Intelligent Platform Management Interface), turned on by default. You might not even realise you’re running it, but serious security flaws have recently been found in many vendors' implementations.
Given the difficulty of managing these embedded systems, it’s a very wise idea to keep them well firewalled off from your main network and the internet. Only trusted administrators should be given access to their network. However, this needs to be supplementary to patching and password management. Isolated networks can sometimes give a false sense of security. Given the complexity of server cabling or VLAN configuration, you should plan for mistakes. At some point one of these devices will find its way onto the wrong network.
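The checks above (management interface on the right network, default password changed, IPMI accounted for, firmware patched) are easy to turn into a routine inventory audit. The script below is an added example, not code from the original article; the management subnet, firmware-age threshold, audit date and inventory records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Assumed policy: every out-of-band management interface (iLO, DRAC, RSA,
# UPS network card) must sit in this isolated subnet. Constructed values.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
MAX_FIRMWARE_AGE_DAYS = 365
AUDIT_DATE = date(2013, 10, 31)  # constructed audit date

@dataclass
class MgmtInterface:
    host: str
    kind: str              # e.g. "iLO", "DRAC", "UPS"
    ip: str
    default_password: bool  # vendor default still in use?
    ipmi_enabled: bool
    firmware_date: date     # release date of the installed firmware

def audit(iface: MgmtInterface, today: date) -> list:
    """Return the policy violations for one management interface."""
    findings = []
    if ipaddress.ip_address(iface.ip) not in MGMT_NET:
        findings.append(f"{iface.host}: {iface.kind} at {iface.ip} is outside "
                        f"the management network {MGMT_NET}")
    if iface.default_password:
        findings.append(f"{iface.host}: {iface.kind} still uses the vendor default password")
    if iface.ipmi_enabled:
        findings.append(f"{iface.host}: IPMI is enabled; confirm it is needed, "
                        f"firewalled and patched")
    if (today - iface.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"{iface.host}: firmware dated {iface.firmware_date} is "
                        f"older than {MAX_FIRMWARE_AGE_DAYS} days")
    return findings

# Constructed sample inventory; none of these are real hosts.
INVENTORY = [
    MgmtInterface("db01", "iLO", "10.99.0.12", False, False, date(2013, 6, 1)),
    MgmtInterface("web02", "DRAC", "192.168.1.40", True, True, date(2010, 2, 1)),
    MgmtInterface("ups-rack3", "UPS", "10.99.0.200", True, False, date(2013, 9, 15)),
]

def audit_inventory(inventory, today) -> dict:
    """Map each non-compliant host to its list of findings."""
    return {i.host: f for i in inventory if (f := audit(i, today))}

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"[{host}]")
        for line in findings:
            print("  -", line)
```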
Lastly, it’s worth pointing out that your switches and routers are computers too. Cisco, particularly, have had a tough time recently with multiple serious IOS vulnerabilities. Again, a separate management network can help but if a vulnerability is exploitable via any IP interface, patching, good passwords and secure management protocols are absolutely essential.